Researchers Claim VPN Bypass on Android KitKat

Security researchers at Ben Gurion University have uncovered what they say is a network vulnerability on Google Android devices that could be used to allow malware to bypass VPN.

According to the university’s Cyber Security Labs Team, the vulnerability has been verified in both Android Jelly Bean 4.3 and Android KitKat 4.4.

“At first we could not reproduce it with the original vulnerability code since KitKat has a modified security implementation,” according to the team’s blog. “Following an elaborate investigation we were able to reproduce the same vulnerability where amalicious app canbypass active VPN configuration (no ROOT permissions required) and redirect secure data communications to a different network address. These communications are captured in CLEAR TEXT (no encryption), leaving the information completely exposed. This redirection can take place while leaving the user completely oblivious, believing the data is encrypted and secure.”

Researchers contacted Google with their findings. A video presentation of the attack can be viewed here. According to the researchers, the findings are based on the same vulnerability they demonstrated weeks ago on the Samsung Galaxy S4 phone to circumvent the protections available in the KNOX security solution.

Early this month, Google and Samsung downplayed the researchers’ report, noting that their exploit uses legitimate Google Android network functions “in an unintended way to intercept unencrypted network connections from/to applications on the mobile device” and did not demonstrate a vulnerability in KNOX or Android.

The researchers responded with a point-by-point refutation of the vendors’ joint response, noting among other things they had tested the attack on Samsung S4 devices “straight out of the box.”

“In the first finding we reported to Samsung the vulnerability details and an example exploit wherean attacker can intercept, block, and alter data communications (non SSL/TLS and non VPN),” the team explained in a blog post. “We also stressed the point that other kind of attacks can take place via the same vulnerability. In our continued investigation of the vulnerability we found that an attacker can, in fact, do much more harm. This finding revealed that an attacker can bypass the VPN (even if configured properly) and again, the secure communications can be intercepted in clear text.”

Once the vulnerability has been resolved, more details will be posted, the team blogged.